Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiWeb 7.0.4 Administration Guide
    7.0.4
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.10
    7.0.9
    7.0.8
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.2
    6.4.1
    6.4.0
    6.3.23
    6.3.19
    6.3.18
    6.3.17
    6.3.16
    6.3.15
    6.3.14
    6.3.13
    6.3.11
    6.3.10
    6.3.9
    6.3.7
    6.3.6
    6.3.5
    6.3.4
    6.3.3
    6.3.2
    6.3.1
    6.3.0
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.2
    6.1.1
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Compression

    Compression

    Similar to SSL/TLS, you can completely offload compression to FortiWeb to save resources on your web servers.

    Configuring compression exemptions

    If necessary, you can exempt HTTP Host: names and URLs from compression by FortiWeb. Generally, if a specific web server already applies compression, and if a specific response never needs to be scanned, compressed, or rewritten, it should be exempt from compression by FortiWeb.

    If compressed, a request or response usually cannot be scanned, rewritten, or otherwise modified by FortiWeb. If you exempt vulnerable URLs, this will compromise the security of your network.
    To configure a rule exclusion
    1. Go to Application Delivery > Compression and select the Exclusion Rule tab.

      To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

    2. Click Create New.
    3. In Name, type a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    4. Click OK.
    5. Click Create New.
    6. Enable Host Status to require that the Host: field of the HTTP request match a protected host names entry in order to match the exclusion.

      7. Also configure Host.

    7. From the Host drop-down list, select which protected host entry that the Host: field of the HTTP request must be in to match the exclusion.

      8. This option is available only if Host Status is enabled.

    8. In Request URL, enter a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.

      9. The URL must begin with a slash ( / ). The URL must not include the domain or IP address.

    9. Click OK.
    10. Include the exception in a compression policy. For details, see Configuring compression offloading.

    Configuring compression offloading

    Most web servers can be configured to compress files when responding to a request. Compressed files often reduce bandwidth, and can result in faster delivery time to clients. Modern browsers automatically decompress files before displaying the web pages.

    To successfully decompress and read the response, clients use the corresponding decompression algorithm. Web servers include an HTTP header such as:

    Content-Encoding: gzip


    to indicate which algorithm was used to compress the HTTP body:

    ^_<8B>^H^H+h,M^@^Cimage.png^@<EC><FC>St<AE>K<D4><EF><8B><C6>^\1G<AC>^Q<DB>

    <U+0588>Fl۶m۶m۶m<DB>^Y<D1>N<E6><9C><DF>^<AB><B5>sq<CE><D5><D9><FB>b<A5><B5>\<BC><EF><F3>T/<F5><AA><EA><BF>^?<F5>$DZR^X^F

    ^C

    ^@^@^@揈<80>,^@^@ <EF><D7><EF>6^D<D8><D7>7<F3><E1><F5>^B^@^@x^@^?^D<F8><E4><9D>

    (content truncated)

    To gain the benefits that compression offers, and not to configure it on your web servers, you can offload compression to FortiWeb instead.

    If your web servers are starved for CPU cycles and RAM, offloading compression from your web servers to FortiWeb can alleviate that bottleneck and improve performance.

    Based upon the HTTP Content-Type: headers that you select (which correspond to Internet file type/MIME type categories such as images and XML), FortiWeb will compress matching responses. The total size of a large web page with lengthy JavaScripts and CSS, while in transit, could be many times smaller.

    The maximum pre-compressed file size that FortiWeb can compress is 128 KB. Files larger than that limit will be transmitted without compression.

    For example, a typical web page is comprised of several responses, such as an HTML document:

    Content-Type: text/html

    perhaps several images:

    Content-Type: image/png

    and a JavaScript:

    Content-Type: text/javascript

    If your protected web servers do not already apply compression, and you configure a compression policy for text/html and text/javascript, those typically lengthy and repetitive text-based documents can be efficiently compressed into much smaller responses. If bandwidth between server and client is the performance bottleneck, this could improve performance dramatically.

    Not all HTTP clients support compression: RPC clients, for example, transmit binary data and do not support compression. For those host names and/or URLs, you should create exceptions.

    To configure a file compression policy
    1. Before you configure file compression, configure the exceptions, if any. For details, see Configuring compression exemptions.
      2. If your web servers are already configured to compress responses, you should either disable compression on the server, or configure exceptions for URLs hosted by that server. Otherwise, in some cases, FortiWeb might expend resources compressing responses that have already been compressed by the server. This can cause performance to decrease instead of increase.
    2. Go to Application Delivery > Compression and select the File Compress Policy tab.

      3. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

    3. Click Create New.
    4. Configure these settings:

      Name

      Enter a name that can be referenced by other parts of the configuration. Don't use spaces or special characters. The maximum length is 63 characters.

      Compression Type

      Select the compression method for the content type(s) that you specify later:

      Compression Level

      This option is available only when you select Brotli for the Compression Type. Select the compression level. The valid range is 1–11.

      Exclusion Rule

      Select an existing exclusion rule, if any, to apply to the policy. For details, see Configuring compression exemptions.

      Optionally, select an exclusion rule and click the Detail link. The exclusion dialog appears. You can view and edit the exclusion rule from here. Use the browser Back button to return.

    5. Click OK.
    6. To add or remove a content type, click Create New.
    7. In the Content Types list, select the content types that you want to compress, then click the right arrow (->) to move them to the Allow Types list.

      For external JavaScripts, content type strings vary. If you are unsure of the content type string, for maximum coverage, select all JavaScript content type strings. However, due to wide browser compatibility, despite its current deprecated status, many web servers use text/javascript.

      These apply compression only to JavaScripts that are external to a web page — that is, not directly embedded in a <script> tag or inline in the HTML document itself, but instead included via reference to a JavaScript file, such as <script src="/nav/menu.js">, and therefore are contained in a separate HTTP response from the HTML document. Likewise, selecting the text/css content type for compression will only compress external CSS. It will not compress CSS embedded directly within the HTML file. (Embedded CSS or JavaScript are governed by Content-Type: text/html instead.)
    8. Click OK.
    9. To apply the compression policy, select it in an inline protection profile used by a server policy. For details, see Configuring a protection profile for inline topologies.
    See also
    Previous
    Next

    Compression

    Compression

    Similar to SSL/TLS, you can completely offload compression to FortiWeb to save resources on your web servers.

    Configuring compression exemptions

    If necessary, you can exempt HTTP Host: names and URLs from compression by FortiWeb. Generally, if a specific web server already applies compression, and if a specific response never needs to be scanned, compressed, or rewritten, it should be exempt from compression by FortiWeb.

    If compressed, a request or response usually cannot be scanned, rewritten, or otherwise modified by FortiWeb. If you exempt vulnerable URLs, this will compromise the security of your network.
    To configure a rule exclusion
    1. Go to Application Delivery > Compression and select the Exclusion Rule tab.

      To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

    2. Click Create New.
    3. In Name, type a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    4. Click OK.
    5. Click Create New.
    6. Enable Host Status to require that the Host: field of the HTTP request match a protected host names entry in order to match the exclusion.

      7. Also configure Host.

    7. From the Host drop-down list, select which protected host entry that the Host: field of the HTTP request must be in to match the exclusion.

      8. This option is available only if Host Status is enabled.

    8. In Request URL, enter a literal URL, such as /folder1/index.htm that the HTTP request must contain in order to match the rule, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm.

      9. The URL must begin with a slash ( / ). The URL must not include the domain or IP address.

    9. Click OK.
    10. Include the exception in a compression policy. For details, see Configuring compression offloading.

    Configuring compression offloading

    Most web servers can be configured to compress files when responding to a request. Compressed files often reduce bandwidth, and can result in faster delivery time to clients. Modern browsers automatically decompress files before displaying the web pages.

    To successfully decompress and read the response, clients use the corresponding decompression algorithm. Web servers include an HTTP header such as:

    Content-Encoding: gzip


    to indicate which algorithm was used to compress the HTTP body:

    ^_<8B>^H^H+h,M^@^Cimage.png^@<EC><FC>St<AE>K<D4><EF><8B><C6>^\1G<AC>^Q<DB>

    <U+0588>Fl۶m۶m۶m<DB>^Y<D1>N<E6><9C><DF>^<AB><B5>sq<CE><D5><D9><FB>b<A5><B5>\<BC><EF><F3>T/<F5><AA><EA><BF>^?<F5>$DZR^X^F

    ^C

    ^@^@^@揈<80>,^@^@ <EF><D7><EF>6^D<D8><D7>7<F3><E1><F5>^B^@^@x^@^?^D<F8><E4><9D>

    (content truncated)

    To gain the benefits that compression offers, and not to configure it on your web servers, you can offload compression to FortiWeb instead.

    If your web servers are starved for CPU cycles and RAM, offloading compression from your web servers to FortiWeb can alleviate that bottleneck and improve performance.

    Based upon the HTTP Content-Type: headers that you select (which correspond to Internet file type/MIME type categories such as images and XML), FortiWeb will compress matching responses. The total size of a large web page with lengthy JavaScripts and CSS, while in transit, could be many times smaller.

    The maximum pre-compressed file size that FortiWeb can compress is 128 KB. Files larger than that limit will be transmitted without compression.

    For example, a typical web page is comprised of several responses, such as an HTML document:

    Content-Type: text/html

    perhaps several images:

    Content-Type: image/png

    and a JavaScript:

    Content-Type: text/javascript

    If your protected web servers do not already apply compression, and you configure a compression policy for text/html and text/javascript, those typically lengthy and repetitive text-based documents can be efficiently compressed into much smaller responses. If bandwidth between server and client is the performance bottleneck, this could improve performance dramatically.

    Not all HTTP clients support compression: RPC clients, for example, transmit binary data and do not support compression. For those host names and/or URLs, you should create exceptions.

    To configure a file compression policy
    1. Before you configure file compression, configure the exceptions, if any. For details, see Configuring compression exemptions.
      2. If your web servers are already configured to compress responses, you should either disable compression on the server, or configure exceptions for URLs hosted by that server. Otherwise, in some cases, FortiWeb might expend resources compressing responses that have already been compressed by the server. This can cause performance to decrease instead of increase.
    2. Go to Application Delivery > Compression and select the File Compress Policy tab.

      3. To access this part of the web UI, your administrator’s account access profile must have Read and Write permission to items in the Web Protection Configuration category. For details, see Permissions.

    3. Click Create New.
    4. Configure these settings:

      Name

      Enter a name that can be referenced by other parts of the configuration. Don't use spaces or special characters. The maximum length is 63 characters.

      Compression Type

      Select the compression method for the content type(s) that you specify later:

      Compression Level

      This option is available only when you select Brotli for the Compression Type. Select the compression level. The valid range is 1–11.

      Exclusion Rule

      Select an existing exclusion rule, if any, to apply to the policy. For details, see Configuring compression exemptions.

      Optionally, select an exclusion rule and click the Detail link. The exclusion dialog appears. You can view and edit the exclusion rule from here. Use the browser Back button to return.

    5. Click OK.
    6. To add or remove a content type, click Create New.
    7. In the Content Types list, select the content types that you want to compress, then click the right arrow (->) to move them to the Allow Types list.

      For external JavaScripts, content type strings vary. If you are unsure of the content type string, for maximum coverage, select all JavaScript content type strings. However, due to wide browser compatibility, despite its current deprecated status, many web servers use text/javascript.

      These apply compression only to JavaScripts that are external to a web page — that is, not directly embedded in a <script> tag or inline in the HTML document itself, but instead included via reference to a JavaScript file, such as <script src="/nav/menu.js">, and therefore are contained in a separate HTTP response from the HTML document. Likewise, selecting the text/css content type for compression will only compress external CSS. It will not compress CSS embedded directly within the HTML file. (Embedded CSS or JavaScript are governed by Content-Type: text/html instead.)
    8. Click OK.
    9. To apply the compression policy, select it in an inline protection profile used by a server policy. For details, see Configuring a protection profile for inline topologies.
    See also
    Previous
    Next